risepro | b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

General

Target

conan.exe
Size

822KB
MD5

f29bb9918f3803046c2bab24c20b458d
SHA1

c162f42333a6a7ef23ea9fc17e470daece374b6c
SHA256

b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993
SHA512

e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164
SSDEEP

24576:OYHymN8tZiUqGvCBSYcjOaTKsB5Oih4un0:OYRNyZiUqwCgYWHhn

Score

10^/10

risepro collection discovery persistence spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

conan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	conan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
4 ipinfo.io

flow	ioc
3	ipinfo.io
4	ipinfo.io

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conan.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2596 schtasks.exe
2608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

conan.exe

pid process

1220 conan.exe

pid	process
2596	schtasks.exe
2608	schtasks.exe

pid	process
1220	conan.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

conan.exe

description	pid	process	target process
PID 1220 wrote to memory of 2596	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2596	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2596	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2596	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2608	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2608	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2608	1220	conan.exe	schtasks.exe
PID 1220 wrote to memory of 2608	1220	conan.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

outlook_win_path 1 IoCs

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

C:\Users\Admin\AppData\Local\Temp\conan.exe
"C:\Users\Admin\AppData\Local\Temp\conan.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\heidi7rWV4SyA44yO\MyTxU0ECGLINWeb Data

Filesize
92KB

MD5
cecd507c6f492a99481169aee2953402

SHA1
92eb8f999e617fe6389d446f86c13da4345a3591

SHA256
861e59e3dd349b246bbdbfb17b8771899df01feb9439e60e3f38cf5c221cfeda

SHA512
e8a2bdfa874c0141e41766dd416675c931ac17e05cd8afaa4b729e9e2deef317aa8a1a848976fcedae4ab39c7b88db42c1205a7572b283fd4f97068bd5ec424c

Download Submit
memory/1220-0-0x0000000000220000-0x00000000002CB000-memory.dmp

Filesize
684KB

Download
memory/1220-1-0x0000000000220000-0x00000000002CB000-memory.dmp

Filesize
684KB

Download
memory/1220-2-0x0000000004570000-0x00000000046BF000-memory.dmp

Filesize
1.3MB

Download
memory/1220-3-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1220-6-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1220-8-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1220-9-0x0000000000220000-0x00000000002CB000-memory.dmp

Filesize
684KB

Download
memory/1220-10-0x0000000004570000-0x00000000046BF000-memory.dmp

Filesize
1.3MB

Download
memory/1220-53-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1220-54-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1220-55-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads